User Naming Attributes
Collapse the table of content
Expand the table of content

User Naming Attributes

As with other directory objects, a user object has names in the form of cn, name, distinguishedName, and objectGUID attributes. Be aware that a user's relative distinguished name (RDN) is the value of the cn attribute. These attributes can be viewed and managed by the Active Directory User and Computers snap-in.

Because a user object is a security principal, it has the following additional naming attributes.



The userPrincipalName is a single-valued and indexed attribute that is a string that specifies the user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user's email name. The point of the UPN is to consolidate the email and logon namespaces so that the user need only remember a single name.

The UPN is the preferred logon name for Windows users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN.

The UPN can be assigned, but is not required, when the user account is created. When assigned, the UPN is unaffected by changes to other attributes of the user object, for example, if the user is renamed or moved, or changes to the domains in the tree, for example, if a parent domain was renamed or a domain was moved. Thus, a user can keep the same login name, although the directory may be radically restructured. Be aware that the UPN can be changed administratively at any time.

The UPN is a string attribute that can contain any string value. However, the following scheme is recommended.

The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the at sign (@) symbol to make the complete UPN. For example, the user Someone who has an account in the Example domain would have a UPN of "".

The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountName attribute of the user) and the domain tree name to which the user belongs in the following form: <name>@<tree name>.

The "<tree name>" is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user. However, the "<tree name>" portion of the UPN must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes attribute of the Partitions container within the Configuration container. You can add or remove UPN suffixes by modifying the upnSuffixes attribute (or by choosing Properties for the root node of the Active Directory Domains and Trusts and modifying the UPN suffixes on the UPN Suffixes tab). Usually, the "<tree name>" is the name of the first domain in the first tree of the forest. In most cases, this domain name is the domain name registered as the enterprise domain on the Internet. The "<tree name>" is formatted by binding to the rootDSE on any domain in the forest, reading the RootDomainNamingContext attribute, and then transforming this from DC format (dc=fabrikam,dc=com) to the UPN format ( using the ADSI IADsNameTranslate interface.

When creating a new user object, you should check the local domain and the global catalog for the proposed name to ensure it does not already exist.


The objectGUID attribute is a single-valued attribute that is the unique identifier for the object. This attribute is a Globally Unique Identifier (GUID). When an object is created in the directory, the Active Directory server generates a GUID and assigns it to the object's objectGUID attribute. The GUID is unique across the enterprise and anywhere else.

The objectGUID is a 128-bit GUID structure stored as an OctetString.

Because an object's distinguished name changes if the object is renamed or moved, the distinguished name is not a reliable identifier for an object. In Active Directory Domain Services, an object's objectGUID attribute is never changed, even if the object is renamed or moved to different places. Be aware that you can retrieve the string form of the objectGUID using the IADs.GUID attribute.


The sAMAccountName attribute is a single-valued attribute that is the logon name used to support clients and servers from a previous version of Windows. The sAMAccountName should be less than 20 characters to support these clients and servers.

The sAMAccountName must be unique among all security principal objects within the domain.

Query for the new name against the domain to verify that the sAMAccountName is unique in the domain.

The sAMAccountName must be unique among all security principal objects within a domain container.


The objectSid attribute is a single-valued attribute that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. It is a binary value that is set by the system when the user is created.

Each user has a unique SID issued by a Windows domain and stored in objectSid attribute of the user object in the directory. Each time a user logs on, the system retrieves the user's SID from the directory and places it in the user's access token. The user's SID is also used to retrieve the SIDs for the groups of which the user is a member and places them in the user's access token. The system uses the SIDs in the user's access token to identify the user and his/her group memberships in all subsequent interactions with Windows security.

When a SID has been used as the unique identifier for a user or group, it cannot be used again to identify another user or group.


The sIDHistory attribute is a multi-valued attribute that contains previous SIDs used for the user object if the user was moved from another domain. When a user is moved from one domain to another, a new SID is created and that new SID becomes the objectSid. The previous SID is added to the sIDHistory attribute, that contains the SIDs from the user's previous domain moves.




© 2016 Microsoft